From a5c03db798d258e776995ec7c860edc689acd3ee Mon Sep 17 00:00:00 2001
From: Aleksander Machniak <alec@alec.pl>
Date: Sun, 18 Oct 2015 03:37:46 -0400
Subject: [PATCH] Security: Added options to validate username/password on logon (#1490500)
---
CHANGELOG | 1 +
program/include/rcmail.php | 24 +++++++++++++++++++++---
config/defaults.inc.php | 9 +++++++++
3 files changed, 31 insertions(+), 3 deletions(-)
diff --git a/CHANGELOG b/CHANGELOG
index 6456fa6..c6ac453 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -9,6 +9,7 @@
- PGP encryption support via Mailvelope integration
- PGP encryption support via Enigma plugin
- PHP7 compatibility fixes (#1490416)
+- Security: Added options to validate username/password on logon (#1490500)
- Security: Improve randomness of security tokens (#1490529)
- Security: Use random security tokens instead of hashes based on encryption key (#1490404)
- Security: Improved encrypt/decrypt methods with option to choose the cipher_method (#1489719)
diff --git a/config/defaults.inc.php b/config/defaults.inc.php
index d53b700..eef7de4 100644
--- a/config/defaults.inc.php
+++ b/config/defaults.inc.php
@@ -306,6 +306,7 @@
// Lifetime of LDAP cache. Possible units: s, m, h, d, w
$config['ldap_cache_ttl'] = '10m';
+
// ----------------------------------
// SYSTEM
// ----------------------------------
@@ -377,6 +378,14 @@
// UPDATE users SET username = LOWER(username);
$config['login_lc'] = 2;
+// Maximum length (in bytes) of logon username and password.
+$config['login_username_maxlen'] = 1024;
+$config['login_password_maxlen'] = 1024;
+
+// Logon username filter. Regular expression for use with preg_match().
+// Example: '/^[a-z0-9_@.-]+$/'
+$config['login_username_filter'] = null;
+
// Includes should be interpreted as PHP files
$config['skin_include_php'] = false;
diff --git a/program/include/rcmail.php b/program/include/rcmail.php
index 81a1c81..d74b705 100644
--- a/program/include/rcmail.php
+++ b/program/include/rcmail.php
@@ -493,7 +493,7 @@
*
* @return boolean True on success, False on failure
*/
- function login($username, $pass, $host = null, $cookiecheck = false)
+ function login($username, $password, $host = null, $cookiecheck = false)
{
$this->login_error = null;
@@ -506,10 +506,22 @@
return false;
}
+ $username_filter = $this->config->get('login_username_filter');
+ $username_maxlen = $this->config->get('login_username_maxlen', 1024);
+ $password_maxlen = $this->config->get('login_password_maxlen', 1024);
$default_host = $this->config->get('default_host');
$default_port = $this->config->get('default_port');
$username_domain = $this->config->get('username_domain');
$login_lc = $this->config->get('login_lc', 2);
+
+ // check input for security (#1490500)
+ if (($username_maxlen && strlen($username) > $username_maxlen)
+ || ($username_filter && !preg_match($username_filter, $username))
+ || ($password_maxlen && strlen($password) > $password_maxlen)
+ ) {
+ $this->login_error = self::ERROR_INVALID_REQUEST;
+ return false;
+ }
// host is validated in rcmail::autoselect_host(), so here
// we'll only handle unset host (if possible)
@@ -595,7 +607,7 @@
$storage = $this->get_storage();
// try to log in
- if (!$storage->connect($host, $username, $pass, $port, $ssl)) {
+ if (!$storage->connect($host, $username, $password, $port, $ssl)) {
// Wait a second to slow down brute-force attacks (#1490549)
sleep(1);
return false;
@@ -643,7 +655,7 @@
$_SESSION['storage_host'] = $host;
$_SESSION['storage_port'] = $port;
$_SESSION['storage_ssl'] = $ssl;
- $_SESSION['password'] = $this->encrypt($pass);
+ $_SESSION['password'] = $this->encrypt($password);
$_SESSION['login_time'] = time();
if (isset($_REQUEST['_timezone']) && $_REQUEST['_timezone'] != '_default_') {
@@ -1069,6 +1081,12 @@
// failed login
if ($failed_login) {
+ // don't fill the log with complete input, which could
+ // have been prepared by a hacker
+ if (strlen($user) > 256) {
+ $user = substr($user, 0, 256) . '...';
+ }
+
$message = sprintf('Failed login for %s from %s in session %s (error: %d)',
$user, rcube_utils::remote_ip(), session_id(), $error_code);
}
--
Gitblit v1.9.1